================================================
<------------------------------------------------>
<------------#www.bright-shadows.net#------------>
<------------------------------------------------>
<--------------#theblacksheep&erik#-------------->
<------------------------------------------------>
================================================
Advisory Information
--------------------
Advisory Name : Several bugs found in "Spyke's PHP Board"
Author : Marc Bromm <theblacksheep@fastmail.fm> Germany
Discover by : Marc Bromm <theblacksheep@fastmail.fm> Germany
Release Date : 9. June 2003
Application : Spyke's PHP Board (textfile based board)
Vendor Homepage : http://www.spyke-online.de
Vulnerable Versions: v2.1 (maybe older)
Platforms : OS Independent, PHP
Severity : High
######Overview:
"Spyke's PHP Board" is a small textfile based PHP board. You have to
register to write messages. Also an admin area exist. There you can
add/delete threads, add/delete topics.
The website www.spyke-online.de is the official website where you can get
it.
######Exploit:
1. Get userinformation
All information of a user like password (plaintext), e-mail, icq number,
signatur ... are stored in textfiles in the directory "user/".
Every file has the name of the user.
So if you register as "theblacksheep" your information are stored in:
user/theblacksheep.txt
So it is possible for you to open the files with your browser to get the
information.
2. Get the admin password and username
In the root directory you can find a file called "info.dat". It looks
like:
<?php
$boardname="Spykes PHP Board";
$hintergrund="#C0C0C0";
$linkfarbe="#333333";
$table1="#606060";
$table2="#F0F0F0";
$table3="#A0A0A0";
$text="#000000";
$adminname="adminname";
$adminpw="adminpassword";
$topicdelzahl="15";
$phpendung = ".php";
?>
So only open this file with your browser and get the admin information.
Then you can log in as admin. So you have full control.
Also some more bugs exist. So it is also possible to:
--> Create topic in not existing thread (found by DigitalAcid)
--> Change anyone's account without knowing their password (FirebirdGM)
######Fix:
It is not possible to fix that holes. (You can do it but then you have to
change everything [how the whole information are stored])
######Vendor Response:
For "Spyke PHP Board" no support exist.
Greetz to:
erik, FirebirdGM, DigitalAcid
==================================================
--
theblacksheep@fastmail.fm
--
http://www.fastmail.fm - Or how I learned to stop worrying and
love email again